A deserialization vulnerability exists that involves Apache Commons-collections and a specially constructed chain of classes. Successful exploitation could result in remote code execution with the permissions of the application using the Commons-collections library.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-6934 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

2016-01-29 VMSA-2015-0009.1
Updated security advisory in conjunction with the release of vRealize
Operations 6.2 on 2016-01-28. Added a note below the table in section 3.a
that exploitation of this issue in vCenter Application Discovery
Manager is limited to local privilege escalation.

2016-06-14 VMSA-2015-0009.3
Updated security advisory to reflect that vCenter Operations 5.x is
not affected (earlier versions of this advisory said “Patch Pending”).
Added that no patch is planned for vCenter Application Discovery
Manager.